Thanks for the information.
Regarding my questions about generating certificates, I found a
different solution. Since we have OpenSSL certificates as PEM files,
I converted them to NSS databases using this procedure:
http://directory.fedora.redhat.com/wiki/Mod_nss#Can_I_use_my_existing_mod_ssl.2FOpenSSL_certificates_with_mod_nss.3F
Wan-Teh Chang wrote:
> Yahel Zamir wrote:
>> 1.
>> Our current server is a multi-threaded application (using pthreads),
>> running on a Red Hat Linux machine. It uses regular TCP socket
>> communication in the clear, in full duplex. My intention is to add an
>> SSL handshake for every new connection, and then simply replace the
>> blocking calls to read() and write() with their SSL equivalents.
>> Do we have to create the listening socket using PR_NewTCPSocket rather
>> than socket()?
>
> Yes, the recommended approach is to replace all of your Berkeley
> socket API functions by NSPR's socket API functions -- use
> PR_NewTCPSocket, PR_Read, PR_Write instead of socket(), read(), write().
> If you have extraordinary problems doing that, you can use the
> function PR_ImportTCPSocket to convert a Berkeley socket (int)
> to an NSPR socket (PRFileDesc *). PR_ImportTCPSocket is declared
> in the header "private/pprio.h", which suggests that it depends on
> the current NSPR implementation.
>
>> Do we have to use NSPR threads instead of Pthreads?
>
> No. NSPR threads are now simply pthreads created by NSPR.
> Pthreads that are not created by NSPR can also call NSPR
> functions now. They will be given an NSPR thread ID on
> demand.
>
>> Do you see any other problem with this approach?
>
> No. Just a comment: excellent OS choice.
>
>> 2.
>> We loaded NSS 3.11.4 on a Red Hat Linux with kernel 2.4.
>> How do I enable valgrind or a similar memory-check tool in the build?
>
> I haven't used valgrind for a while. I guess that you
> need to use it to link the executable programs? In any
> case, you most likely will need to modify this makefile:
> mozilla/security/coreconf/rules.mk
> which defines how we compile a .c file, how we link a
> shared library or a program. You can add valgrind to
> the appropriate makefile rules in that makefile.
> Alternatively, you may be able to redefine the variable
> CC or MKSHLIB in mozilla/security/coreconf/Linux.mk or
> mozilla/security/coreconf/Linux2.4.mk to accomplish the
> same thing.
>
>> By the way -
>> 2.1 - If I would like to avoid CVS, I can simply download the
>> binaries "with nspr" and build, correct?
>
> Yes.
>
>> 2.2 - it seems like in the 3.11.4 build instructions
>> (http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html)
>> the CVS checkout of NSPR should use the label NSPR_4_6_4_RTM rather than
>> NSPR_4_6_4_RELEASE.
>
> That's a typo. Sorry. The correct CVS tag is NSPR_4_6_4_RTM.
> I just fixed it.
>
> I'll let others answer the remaining questions. But I know
> SSLsample is out of date and you should use selfserv as a sample
> SSL server and tstclnt or strsclnt as a sample SSL client.
> (The bugs about SSLsample are
> https://bugzilla.mozilla.org/show_bug.cgi?id=330408
> https://bugzilla.mozilla.org/show_bug.cgi?id=359302)
>
> Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto